Messages

1

Tutorials and FAQs / Re: Blocking DNS, Private DNS, DNS over HTTPS and others

« on: November 23, 2024, 08:09:04 pm »

Wow thanks for the list tiermutter. I did a nslookup on the manually entered ones.
mozilla.cloudflare-dns.com
doh.opendns.com
doh.dns.sb
Those are listed in this one-> https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt

Incidentally I had to disable the Aliases check box hit save and then click box to re-enable in order for the new list to be populated. (hope that helps someone) 2,400+ DNS over https servers (DoH) all together.

Where in OS do we plug the above URLs into?
Do they go into Services: Unbound DNS: Blocklist :  URLs of Blocklists ?

2

General Discussion / Re: Am I using the API wrong?

« on: November 22, 2024, 01:05:51 pm »

You probably need the os-api-backup plugin on older versions, if it exists in yours.

https://forum.opnsense.org/index.php?topic=18218.0

That was the first thing that I've done before trying to use the API.

3

General Discussion / Re: Am I using the API wrong?

« on: November 22, 2024, 01:39:19 am »

I tried with 24.7.8 but it should be around for a while.

Does the API work at all in 21.7.8? Upgrading is not an option.

4

General Discussion / Re: Am I using the API wrong?

« on: November 21, 2024, 06:38:31 pm »

Try this endpoint to download the latest configuration:

https://xxx.xxx.xxx.xxx/api/core/backup/download/this

https://github.com/opnsense/core/commit/39b531783

Is that available in a specific version? Which one?

5

General Discussion / Re: MacOS hijacks the DNS settings?!

« on: November 21, 2024, 05:19:57 pm »

Things to remember are to block all ports 53 and 853 from the LAN that do not target the LAN iface on which the local DNS runs, so that nothing and nobody from the LAN could use external DNS servers over DNS or secure DNS. But then there is HTTP DNS backdoor, for which it is only possible to block specific sites that the violating devices try to leverage.

6

General Discussion / Re: Am I using the API wrong?

« on: November 21, 2024, 05:12:15 pm »

You may want to change your format, you are getting a 400 error, so your request is incorrect:
    curl  -k -u user:secret  https://X.X.X.X/api/core/backup/providers
Response:
    {"items":{"this":{"description":"This Firewall","dirname":"\/conf\/backup"}}}

The HTTP 400 Bad Request client error response status code indicates that the server would not process the request due to something the server considered to be a client error.

With your command format, I still get the same error 400 controller not found. Nothing changed.

7

General Discussion / Am I using the API wrong?

« on: November 16, 2024, 10:41:05 pm »

I registered a user for API access, plugged its key and secret into curl, and got nowhere:

$ curl -k "https://xx.xx.xx.xx/api/core/backup/providers/?key=ABC&secret=XYZ"
{"message":"controller OPNsense\\Core\\Api\\BackupController not found","status":400}$
$ curl -k "https://xx.xx.xx.xx/api/core/firmware/status?key=ABC&secret=XYZ"
$

8

General Discussion / Re: What is the unit for the vertical axis of the system CPU health graph?

« on: November 11, 2024, 12:51:01 am »

The balloon does not show the unit either, but it is now pretty clear what it is.

9

General Discussion / Re: What is the unit for the vertical axis of the system CPU health graph?

« on: November 10, 2024, 11:08:57 pm »

There is only 1 physical, non-HT core on this system.

The more I look at it, the more it seems like the green dot = processes measures literally how many processes are running, whereas the rest of dots (blue, orange, etc.) measure the %CPU load hence the vast difference in magnitude. Is this a plausible theory?

10

General Discussion / What is the unit for the vertical axis of the system CPU health graph?

« on: November 10, 2024, 10:27:52 pm »

This graph looks confusing. 400 what?

11

General Discussion / Re: Configuration backups

« on: November 10, 2024, 04:06:04 pm »

We could use the API to write a simple app that will d/l the config, run it on a schedule, and call it a day.

Having said it, the API does not seem to work as stated in the manual:

https://12.34.56.78/api/core/firmware/status?key=blah&secret=blah

status_msg   "Firmware status check was aborted internally. Please try again."
status   "error"

https://12.34.56.78/api/core/backup/providers/?key=blah&secret=blah

message   "controller OPNsense\\Core\\Api\\BackupController not found"
status   400

This is confusing.

I also tried to connect to the API from a .NET app, but keep getting TLS handshake errors, so I assume that even though it works in the browser, the HttpClient in C# needs the specific API user's PFX file, but I am not able to generate it from CRT and KEY:

openssl pkcs12 -export -out user.pfx -certfile OVPN.crt -inkey user.key -in user.crt
Password required

Huh? Then ask for it! Okay:

openssl pkcs12 -export -out user.pfx -certfile OVPN.crt -inkey user.key -in user.crt -pass 123
pkcs12: Use -help for summary.

Isn't it cute when nothing works?

Hmm, it does not seem like a client cert problem. On another screen in OS I downloaded a P12 file which is supposedly the same thing as PFX and loaded it into the HttpClient. Still the same SSL handshake error. Cute.

12

General Discussion / Re: Do syslog-ng and syslogd services have to run at all times?

« on: November 08, 2024, 02:27:56 pm »

It's a pity that they are required anyway. This is a sub-optimal solution for embedded if a service is required to run even for local logging to in-memory /var.

13

General Discussion / Do syslog-ng and syslogd services have to run at all times?

« on: November 06, 2024, 06:13:04 pm »

Having collected some syslog entries and gone through them, I established that I do not need remote syslog for my router and disabled the remote syslog target. But do I have to let the 2x services in subject to continue to run, or can I shut them down w/o disrupting anything in OpnSense?

14

General Discussion / Re: Syslog captures nothing

« on: November 04, 2024, 02:37:14 pm »

I just tried.

You are right! I did not realize that I had to follow a 3-step enablement process for syslog: create target, enable it, apply it.

15

General Discussion / Syslog captures nothing

« on: November 03, 2024, 05:18:22 pm »

I enabled a remote syslog that is used by many sources on my LAN.
Added a target, selected all in all of the dropdowns, i.e. every application, facility, level, or whatnot is selected.
Still not a single new entry comes to the syslog server from opnsense.
What is required to log to an external syslog server?